On all our certificates renewals we are receiving errors.
Seems like Letsencrypt servers are unable to reach our domains.
Are you aware of any network issue or renewal issues?
Attempting to renew cert (xxxx.yyyy.net) from /etc/letsencrypt/renewal/xxxx.yyyyy.net.conf produced an unexpected error: Failed authorization procedure. xxxxx.yyyy.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, xxxxx.yyyy.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.
It looks like you've been able to successfully issue for this name in the past few hours. The IPv4 address resolved is the same as the one that was timing out earlier today. Did you change anything on your side to resolve the issue?
I still see timeouts in the validation authority logs for this domain. They look like true positives to me based on the request timestamps. The VA attempts to validate the name by connecting to port 443 on the resolved IPv4 address and 10s later fails due to a timeout.
Is the server in question under high load or running slowly?
Server is using same configuration as before (before renewal). We didn’t change anything. Nginx is working as reverse proxy as before. Maybe we did a minor nginx plus upgrade.
No load on server, load is 0.01.
Now csbno.net get the renewal. But other domains still going into timeout.
tls-sni-01 challenge for reanet.comperio.it
tls-sni-01 challenge for reanet.comune.empoli.fi.it
tls-sni-01 challenge for reanet.comune.empoli.firenze.it
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (reanet.comperio.it) from /etc/letsencrypt/renewal/reanet.comperio.it.conf produced an unexpected error: Failed authorization procedure. reanet.comune.empoli.firenze.it (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.
This morning (CET) we continue to experience timeout in renewals of all our domains.
Domain are visible from outside the worl.
Do we have another way to renew certificates?
Can you identify the validation authority requests in your server logs, or perform a packet capture to do so? Specifically I'm interested in hearing whether your server sees the requests at all, and if it does, what time they arrive at and what time the response is delivered.
Using a DNS-01 challenge as opposed to TLS-SNI-01 or HTTP-01 would likely side-step these timeouts.